On November 19, 2025, the European Commission published its proposal for a Regulation of the European Parliament and of the Council on the simplification of the digital legislative framework and support innovation (the “Digital Package”).¹

The Digital Package, among others, represents a comprehensive legislative proposal aimed at streamlining and consolidating the EU’s increasingly complex digital regulatory framework, which has evolved through the successive adoption of key instruments such as the AI Act, the Data Act, the Digital Services Act (DSA), and the Digital Markets Act (DMA). In this regard, the Commission has recognized that growing regulatory overlap and procedural complexity have not only imposed excessive compliance burdens on businesses but have also hindered corporate innovation and growth. Accordingly, the Digital Package seeks to organize and integrate these fragmented regulatory regimes into a more unified and coherent system, with a view to reducing unnecessary complexity and improving overall regulatory efficiency.

In this newsletter, we outline the key elements of the Digital Package and examine its potential implications for the future direction of Korea’s AI and data governance framework.

1. Key Elements of the Digital Package² 

The Digital Package is structured around three mutually reinforcing components:

• the Digital Omnibus (which focuses on simplifying and aligning existing digital regulations),
• the Data Union Strategy, and
• the Regulation on the European Business Wallet.

The main components are as follows.

(1) Simplification and Relaxation of Data-Related Legislation

• To improve predictability and reduce unnecessary administrative burdens, data governance rules currently dispersed across multiple instruments would be structurally consolidated around two principal regulatory pillars: the Data Act and the GDPR. 
• Where there is a demonstrable risk of unlawful acquisition, use or disclosure of trade secrets, data holders shall be entitled to refuse disclosure requests from third-country authorities operating under legal systems providing lower standards of protection than the EU framework.
• Small and Medium-sized Enterprises (“SMEs”), Small Mid-Caps (“SMCs”), and providers of bespoke data-processing services would benefit from exemptions from certain cloud portability and switching obligations under the Data Act.
• The data altruism framework under Regulation (EU) 2022/868 would be simplified with a view to facilitating and promoting the voluntary provision of data by individuals and businesses for purposes of public interest.
  * Data altruism refers to a framework under which data subjects and data holders voluntarily consent, without seeking financial compensation, to the processing of their personal data or to the use of their non-personal data for purposes serving the public interest.
• The scope of “special categories of personal data” under Article 9 GDPR would be narrowed, such that enhanced protection would apply to personal data that directly and explicitly discloses sensitive attributes (such as racial or ethnic origin, religious beliefs, or health status), and not to data from which such characteristics are merely inferable.
• Public-sector access to private-sector data would be strictly limited to situations of “public emergency,” replacing the broader concept of “exceptional need” and thereby reducing non-crisis data-sharing obligations imposed on businesses.

(2) Simplification of AI Regulation

• To facilitate proportionate implementation of the AI Act, the applicability of certain obligations for high-risk AI systems would be deferred by up to 16 months.
  ✔ In particular, obligations applicable to high-risk AI systems in sensitive areas such as employment and law enforcement would be postponed from August 2026 to December 2027; and
  ✔ Obligations relating to high-risk AI systems embedded in medical devices would be deferred until August 2027, representing an extension of up to 12 months.
• Simplified compliance measures previously applicable only to SMEs (including lighter technical documentation requirements) would be extended to SMCs with fewer than 750 employees, thereby enabling approximately 8,250 additional businesses to benefit from the simplified regime.
• High-risk AI systems used exclusively for internal, process-oriented purposes would be exempt from the obligation to register in the EU database.
  * Under the current AI Act, providers of high-risk AI systems are generally subject to a mandatory requirement to be registered in the EU database.
• Amendments to the GDPR shall explicitly recognize “legitimate interest” as a legal basis for the processing of personal data for the purposes of AI development and operation, thereby enabling the use of personal data in AI model training and deployment, provided that such processing does not infringe the rights of data subjects.
• Exceptionally, processing of “special categories of personal data” (i.e., sensitive data) would be permitted where strictly necessary for bias mitigation and fairness-enhancement measures in AI systems, provided robust protective measures are implemented.

(3) Reform of Cookie Rules to Reduce Consent Fatigue

• Under the current regime, users are frequently confronted with cookie banners and multiple click-through options each time they visit a website, contributing to so-called “consent fatigue.”
• In response, the Digital Omnibus proposes reform of the ePrivacy framework, including:
  (i) Introduction of a one-click consent mechanism for tracking technologies; and
  (ii) Centralized management of consent preferences at browser or operating-system level, with such preferences automatically applied across websites.

(4) Centralization of Cybersecurity Incident Reporting

• Currently, businesses must report cybersecurity incidents separately under multiple regimes — including the NIS2 Directive, the GDPR, and various sectoral frameworks such as financial cybersecurity rules — resulting in duplicated reporting obligations and, in some cases, delays.
• To address this, the Digital Omnibus would introduce a single-entry point for incident reporting, enabling businesses to submit incident information once and thereby satisfy all corresponding reporting obligations vis-à-vis the relevant authorities.

(5) Data Union Strategy

• The Data Union Strategy is intended to:
  (i) Establish “data labs” that aggregate public and private data in order to provide SMEs, researchers, and businesses with access to high-quality, sector-specific datasets for AI research and development;
  (ii) Develop new guidance, including model contractual clauses and standardized provisions for data access and cloud computing contracts, to improve legal certainty and transactional efficiency; and
  (iii) Introduce a Data Act Legal Helpdesk aimed at reducing the administrative burden on businesses by providing practical compliance support and interpretative guidance.

(6) European Business Wallet

• Under the European Business Wallet system, businesses will be issued a unique digital identity enabling authentication across the EU and allowing them to submit official documents through electronic signatures and timestamping.
  ✔ Licenses, permits, and certificates will likewise be securely stored and exchanged in the form of verified electronic documents.
  ✔ These digital procedures will have the same legal effect as traditional paper-based or in-person processes, and are expected to replace a substantial portion of existing corporate administrative procedures with fully digital alternatives.
  ✔ While its use will remain voluntary for private businesses, public authorities will be under a legal obligation to accept submissions and attestations issued via the Wallet.
• The European Commission is currently pursuing the development of the necessary system infrastructure with the aim of achieving full operational readiness and commercial rollout of the system within two years.

2. Key Takeaways

The European Commission estimates that digital and AI regulatory simplification measures could generate administrative cost savings of up to €5 billion by 2029, and that universal adoption of the European Business Wallet could yield annual cost savings of up to €150 billion. These estimates underscore a broader policy message: sustainable AI and digital sector growth and innovation require not only a balanced framework between user protection and industry promotion but also mitigation of compliance burdens.

In particular, the Digital Package — by (i) deferring the application of high-risk obligations under the AI Act by up to 16 months, and (ii) extending simplified compliance regimes from SMEs to SMCs — appears intended to provide businesses with sufficient time to prepare for regulatory requirements while supporting the safe and orderly growth of adjacent industries.

Similarly, Korea is advancing a national AI strategy through continued government-led efforts, including the announcement of a KRW 100 trillion investment plan in advanced strategic industries and the establishment of the National AI Strategy Committee. In this context, the EU’s move toward regulatory simplification may exert indirect influence on the future direction of Korea’s data and AI policy framework. Businesses should therefore closely monitor both domestic and international regulatory developments and proactively establish tailored AI governance structures aligned with their service models and risk profiles.

At the same time, the Digital Package has attracted critical commentary from certain stakeholders, who have raised concerns regarding a potential rollback of digital fundamental rights.³ As its implementation remains contingent upon negotiations among Member States and approval by the European Parliament, continued attention should be paid to the final legislative design and enforcement trajectory. 

¹ European Commission, Digital Omnibus Regulation Proposal, COM(2025) 837 final, Brussels, Nov 19, 2025, Digital Omnibus Regulation Proposal | Shaping Europe’s digital future.
² European Commission. “Simpler EU digital rules and new digital wallets to save billions for businesses and boost innovation,” Press Release, Nov 19, 2025, Simpler EU digital rules and new digital wallets to save billions for businesses.
³ Reuters. “EU to ease AI, privacy rules as critics warn of caving to Big Tech, Trump.” Reuters, Nov 19, 2025, EU eases AI, privacy rules as critics warn of caving to Big Tech | Reuters.

[Korean version] EU 집행위원회, ‘디지털 간소화 방안’ 발표